
Radware’s inquiry into the botnet led it to a command-and-control server hosted at the site San Calvicie, which offers not only multiplayer mod support for Grand Theft Auto: San Andreas, but also DDoS attacks for a fee.

Enthusiasts of the venerable videogame series, which places players in an immersive 3-D world of violence and vicarious thrills, have created an extensive universe of add-on features and tweaks, or “mods,” in the name of enriching and extending their experience. Sites such as San Calvicie cater to GTA gamers who want to host their own custom versions of GTA for multiplayer action.

“The Corriente Divina (‘divine stream’) option is described as ‘God’s wrath will be employed against the IP that you provide us,’” Geenens wrote of the site’s DDoS offering. “It provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32-byte floods, TS3 scripts and a ‘Down OVH’ option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016. OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.”

Shortly after Geenens made his initial discovery, he returned to the site and found that the terms of engagement had changed. Now the listing included a reference to “bots,” and offered a DDoS volume of between 290 and 300 Gbps, for the same low price of $20 a pop.

While derived from established code, the San Calvicie-hosted botnet, which Geenens has dubbed “JenX”, is deployed in a different manner than its predecessors.

“Untypical for IoT botnets we have witnessed in the past year, this botnet uses servers to perform the scanning and the exploits,” he wrote. “Nearly all botnets, including Mirai, Hajime, Persirai, Reaper, Satori and Masuta perform distributed scanning and exploiting. That is, each victim that is infected with the malware will perform its own search for new victims. This distributed scanning provides for an exponential growth of the botnet, but comes at the price of flexibility and sophistication of the malware itself.”
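The distinction Geenens draws above, a handful of servers doing all the scanning versus every infected device scanning on its own, is also what a defender sees in flow data, and it decides whether an abuse report against a few hosting providers can actually dent the botnet. The script below is an added example (not Radware's or Threatpost's code) that triages constructed flow records: it counts distinct hosts each source probes on a few ports that IoT scanners typically hit and reports whether the scan footprint is concentrated in a few sources (the JenX pattern) or spread across many (the Mirai pattern). The port list, thresholds and sample records are assumptions chosen for illustration.

```python
from collections import defaultdict

# Assumption: ports that IoT scanners commonly probe (telnet and TR-069).
PROBE_PORTS = {23, 2323, 7547}

# Constructed sample (not real traffic): two sources probe many hosts,
# plus two ordinary HTTPS flows that should be ignored.
CENTRAL_SCAN = """\
203.0.113.10 198.51.100.1 23
203.0.113.10 198.51.100.2 23
203.0.113.10 198.51.100.3 23
203.0.113.10 198.51.100.4 23
203.0.113.10 198.51.100.5 23
203.0.113.10 198.51.100.6 2323
203.0.113.10 198.51.100.7 2323
203.0.113.10 198.51.100.8 2323
203.0.113.11 198.51.100.9 23
203.0.113.11 198.51.100.10 23
203.0.113.11 198.51.100.11 23
203.0.113.11 198.51.100.12 23
203.0.113.11 198.51.100.13 23
192.0.2.50 198.51.100.20 443
192.0.2.51 198.51.100.20 443
"""

# Constructed sample: six infected hosts, each probing five targets on telnet.
DISTRIBUTED_SCAN = "\n".join(
    f"203.0.113.{bot} 198.51.100.{bot * 10 + n} 23"
    for bot in range(20, 26)
    for n in range(5)
)


def parse_flows(text):
    """Parse 'src dst dport' lines into (src, dst, dport) tuples; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        flows.append((parts[0], parts[1], int(parts[2])))
    return flows


def targets_per_source(flows):
    """Distinct destinations each source has contacted on a probe port."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in PROBE_PORTS:
            targets[src].add(dst)
    return targets


def classify_scan(flows, min_targets=5, top_k=3, concentration=0.8):
    """Find scanner sources and decide which scanning paradigm fits.

    A source counts as a scanner once it has probed `min_targets` distinct
    hosts. If the `top_k` busiest scanners account for at least
    `concentration` of all scanner probes, the footprint is 'centralized'
    (a few servers scan for the whole botnet, as described for JenX);
    otherwise it is 'distributed' (each bot scans for itself, as with
    Mirai). All thresholds are assumptions for this example.
    """
    targets = targets_per_source(flows)
    scanners = {src: len(t) for src, t in targets.items() if len(t) >= min_targets}
    if not scanners:
        return {"paradigm": "none", "scanners": {}, "top_k_share": 0.0}
    counts = sorted(scanners.values(), reverse=True)
    share = sum(counts[:top_k]) / sum(counts)
    paradigm = "centralized" if share >= concentration else "distributed"
    return {"paradigm": paradigm, "scanners": scanners, "top_k_share": share}


if __name__ == "__main__":
    for label, sample in (("central", CENTRAL_SCAN), ("distributed", DISTRIBUTED_SCAN)):
        result = classify_scan(parse_flows(sample))
        print(label, result["paradigm"], sorted(result["scanners"].items()))
```

A centralized verdict means the abuse reports worth filing are the few that name the scanning servers; a distributed verdict means takedown has to go through the victims' ISPs instead, and the scanner list is the set of compromised devices to notify.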

The danger from JenX should be mostly confined to GTA San Andreas users, Geenens said, but with a stern caveat.

“[T]here is nothing that stops one from using the cheap $20 per target service to perform 290 Gbps attacks on business targets and even government related targets,” he wrote. “I cannot believe the San Calvicie group would oppose it.”

Radware filed abuse notifications related to JenX, resulting in a partial takedown of the botnet’s server footprint, but it remains active. JenX’s implementation makes taking it down a tricky task.

“As they opted for a central scan and exploit paradigm, the hackers can easily move their exploit operations to bulletproof hosting providers who provide anonymous VPS and dedicated servers from offshore zones,” he wrote. “These providers do not care about abuse. Some are even providing hosting services from the Darknet. If the exploit servers were moved to the Darknet, it would make it much more difficult to track down the servers’ location and take them down.”

Authors

Threatpost
